from the do-as-we-say,-not-as-we-do dept

We've noted for some time how Chinese hardware vendor Huawei has been consistently accused of spying on American citizens without any substantive, public evidence. You might recall that these accusations flared up several years ago, resulting in numerous investigations that culminated in no hard evidence whatsoever to support the allegations. We're not talking about superficial inquiries; we're talking about eighteen-month, in-depth reviews by people with every interest in exposing them. One anonymous insider put it this way in the wake of the last bout of hysteria surrounding the company:

“We knew certain parts of government really wanted” evidence of active spying, said one of the people, who requested anonymity. “We would have found it if it were there.”

Never mind that almost all U.S. network gear is made in (or comprised of parts made in) China. Never mind that years of reports have shown the United States spies on almost everyone, constantly. Never mind that reports have emerged that a lot of the spy allegations often originate with Huawei competitor Cisco, which was simply concerned with the added competition. Huawei is a spy. We're sure of it. And covert network snooping is bad. When China does it.

Worries over Huawei bubbled up again recently when the U.S. government pressured both AT&T and Verizon to kill off plans to sell Huawei phones here in the States. It should be noted that Huawei phones are already available here, and the company has worked with several U.S. companies to gain a foothold in the U.S. market (like when it partnered with Google on the Nexus 6P). It should also probably be noted that in the modern era, you can't really differentiate between where a company like AT&T ends and the NSA begins, given the telco's extreme enthusiasm for spying on American citizens itself.

This week, hysteria concerning Huawei again reached a fever pitch, as U.S. intelligence chiefs, testifying before Congress over Russian hacking and disinformation concerns, again proclaimed that Huawei was spying on American citizens and that its products most assuredly should not be used:

At the hearing, FBI Director Chris Wray testified, “We’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks.” Purchasing Huawei or ZTE products, Wray added, “provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage.”

Which values would those be, exactly? Would it be the values, as leaked Edward Snowden docs revealed, that resulted in the NSA hacking into Huawei, stealing source code, then attempting to plant its own backdoors into Huawei products? Or perhaps it's the values inherent in working closely with companies like AT&T to hoover up every shred of data that touches the AT&T network and share it with the intelligence community? Perhaps it's the values inherent in trying to demonize encryption, by proxy weakening security for everyone?

News outlets, semi-oblivious to their own nationalism, quickly ignored the NSA's hypocrisy when it comes to worrying about values and regurgitated the intel chiefs' concerns. Few could also be bothered to note that numerous investigations have culminated in bupkis, the NSA has routinely and consistently been caught doing precisely what they accuse Huawei of, or that American companies tend to drum up hysteria on this front simply because they're afraid of competition (protectionism we routinely and justly accuse China of).

Focusing on Huawei also seems semi-myopic, given the fact that Chinese hardware can already be found in an absolute ocean of products available here in the States, many of which are made by U.S. hardware vendors. It also ignores the fact that if somebody really wants to hack us, all they need to do is spend five seconds hunting down one of a million poorly secured internet of broken things devices, which create millions of new easily-exploited attack vectors annually in businesses and residences nationwide.

None of this is to say it's impossible that Huawei has helped the Chinese government spy, much like our own companies here in the States. But if you're going to discuss this subject, you can't have an honest conversation without highlighting our own hypocrisy on this front, given it's abundantly clear that we're perfectly OK with unethical behavior, backdoors, and spying with negligible oversight and accountability -- provided the United States is the one doing it.

from the evidence-schmevidence dept

Last week we noted how AT&T was forced to scrap a partnership with Huawei to sell the company's smartphones here in the States, just hours before it was set to be announced at CES. The reason? Apparently a few members of the Senate and House Intelligence Committees fired off a letter to the FCC demanding that they pressure US telcos into avoiding Huawei. The letter, which nobody has published, allegedly accuses the company of being little more than an intelligence proxy for the Chinese government.

There are several problems with this. While it's certainly possible that Huawei helps the Chinese government spy, there's been no hard evidence of this. In fact, numerous investigations (including one eighteen months long) found no evidence of any spying whatsoever. What inquiries did find is that these allegations pretty consistently originate with U.S. hardware vendors like Cisco, who routinely enjoy playing up the threat simply because they don't want to compete with Chinese hardware vendors. You know, the very same thing we routinely (often quite accurately) complain about China doing.

Despite no real evidence, a new Reuters report indicates this new pressure is much greater than just AT&T's smartphone partnership. In fact, the report suggests that the government is now urging all US telcos and ISPs to avoid using any Huawei gear whatsoever if they want to continue winning government contracts (and as an NSA BFF, AT&T has plenty of contracts to protect). From the report:

"The lawmakers are also advising U.S. firms that if they have ties to Huawei or China Mobile, it could hamper their ability to do business with the U.S. government, one aide said, requesting anonymity because they were not authorized to speak publicly.

One of the commercial ties senators and House members want AT&T to cut is its collaboration with Huawei over standards for the high-speed next generation 5G network, the aides said. Another is the use of Huawei handsets by AT&T’s discount subsidiary Cricket, the aides said."

And while Reuters mentioned that there have been investigations, it oddly forgets to mention what the outcome of those investigations was (again, zero evidence of spying). Also ignored is the fact that Chinese networking hardware is absolutely everywhere in the States, including being embedded in many of the products sold by U.S. manufacturers. If China wants to spy on America, it only need turn to the ocean of poorly secured IoT devices, the lion's share of which are now made in China by companies with a complete and total disinterest in anything even vaguely resembling security standards.

Similarly and comedically ignored is the fact that the United States government engages in this kind of behavior all of the time. You might recall the NSA was caught intercepting Cisco hardware to install surveillance technology a few years ago. The Snowden documents also revealed how the NSA hacked into Huawei and stole company source code as early as 2007, all in the hopes of planting backdoors in network hardware used by countries who avoid buying American gear. Everyone but the most ardently myopic patriots realizes that the United States' credibility on this subject was dismantled decades ago.

This latest wave of hysteria comes simultaneously and not-coincidentally as Representatives Michael Conaway and Liz Cheney introduced a bill banning US carriers from doing any business whatsoever with Huawei or ZTE Corp (two guesses on which companies are pushing for that law). Again, it's perfectly possible that Huawei helps the Chinese government spy. But if that's the case, it shouldn't be too difficult to provide some hard evidence supporting this position. Unless, of course, this is all little more than an adorable little stage play concocted simply to protect US hardware vendors from having to actually compete.

Nearly every plot we uncover has a digital element to it. Go online and you will find your own “do-it-yourself” jihad at the click of a mouse. The tentacles of Daesh (Isil) recruiters in Syria reach back to the laptops in the bedrooms of boys – and increasingly girls – in our towns and cities up and down the country. The purveyors of far-Right extremism pump out their brand of hate across the globe, without ever leaving home.

The scale of what is happening cannot be downplayed. Before he mowed down the innocents on Westminster Bridge and stabbed Pc Keith Palmer, Khalid Masood is thought to have watched extremist videos. Daesh claim to have created 11,000 new social media accounts in May alone. Our analysis shows that three-quarters of Daesh propaganda stories are shared within the first three hours of release – an hour quicker than a year ago.

An hour quicker! In internet time, that's practically a millennium. It's tough to tell what Rudd's attempting to make of this technobabble. Is she suggesting future Masoods will act quicker because they'll be able to complete their viewing of extremist videos faster? If that's the case, maybe regulators need to step in and throttle broadband connections. The more the video buffers, the less likely it is someone will watch it… and the less likely it is someone will carry out an attack. The math(s) work out.

Unfortunately, this is not where the op-ed is heading. Sadly, Rudd is here to take a swing at encryption. But she takes a swing at it in prime passive-aggressive, Ike Turner-style, saying she loves it even as the blows rain home.

Encryption plays a fundamental role in protecting us all online. It is key to growing the digital economy, and delivering public services online.

I ain't mad at ya.

But, like many powerful technologies, encrypted services are used and abused by a small minority of people. The particular challenge is around so called “end-to-end” encryption, where even the service provider cannot see the content of a communication.

But you mess me up so much inside.

To be very clear – Government supports strong encryption and has no intention of banning end-to-end encryption. But the inability to gain access to encrypted data in specific and targeted instances – even with a warrant signed by a Secretary of State and a senior judge – is right now severely limiting our agencies’ ability to stop terrorist attacks and bring criminals to justice.

In a fun twist, Rudd doesn't call for harder nerding. (Note: Rudd is visiting Silicon Valley to meet with tech leaders, so it's safe to assume requests for harder nerding will be made, even if not directly in this op-ed.)

No, Rudd doesn't want the impossible: secure, backdoored encryption. Instead, she wants to know if tech companies will just take the encryption off one end of the end-to-end. Her bolstering argument? The public doesn't give a shit about encryption. It just wants easy-to-use communication tools.

Real people often prefer ease of use and a multitude of features to perfect, unbreakable security. So this is not about asking the companies to break encryption or create so called “back doors”. Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and “usability”, and it is here where our experts believe opportunities may lie.

Having set up her straw app user, Rudd moves towards her conclusion… which is severely lacking in anything cohesive or coherent. The "opportunities" lie in persuading tech companies to provide users with less secure communications platforms. Should be an easy sale, especially if the average user doesn't care about security. But maybe the company does and doesn't want to give bad people an easy way to access the communications of others. Hence encryption. Hence end-to-end, so even if the provider is breached, there's still nothing to access.

What Rudd is looking for can't be called a trade-off. The government has nothing tech companies want. All they can offer is platitudes about fighting crime and national security. The government, meanwhile, wants tech companies to write software the way the government wants it, rather than how the company or its users want it. That's not a trade-off. That's a one-way street where every internet communication platform becomes a proxy government agency.

Rudd's idea is bad and she should feel bad. But I get the feeling that no matter how many tech experts she talks to, she's still going to believe her way is the right and best way.

from the adding-hay-to-the-stack-makes-it-harder-to-find-the-needles dept

Soon after the attack in Manchester, the UK government went back to its "encrypted communications are the problem" script, which it has rolled out repeatedly in the past. But it has now emerged that the suicide bomber was not only known to the authorities, but that members of the public had repeatedly warned about his terrorist sympathies, as the Telegraph reports:

Counter Terrorism agencies were facing questions after it emerged Salman Abedi told friends that "being a suicide bomber was okay", prompting them to call the Government's anti-terrorism hotline.

Sources suggest that authorities were informed of the danger posed by Abedi on at least five separate occasions in the five years prior to the attack on Monday night.

London attack ringleader Khuram Butt was identified as a major potential threat, leading to an investigation that started in 2015, UK counterterrorism sources tell CNN.

…

Butt was seen as a heavyweight figure in al-Muhajiroun, whose hardline views made him potentially one of the most dangerous extremists in the UK, the sources said Tuesday. The investigation into Butt involved a "full package" of investigatory measures, the sources told CNN.

Butt was filmed in a 2016 documentary with the self-explanatory title "The Jihadis Next Door", in which a black flag associated with ISIS was publicly unfurled in London's Regent’s Park. Even though police were present during the filming, they did not follow up that incident, according to the Guardian:

Police did not make a formal request for footage or information from the makers of a Channel 4 documentary that featured Khuram Butt, one of the London Bridge attackers.

The broadcaster of The Jihadis Next Door said no police requests were made for film or programme maker's notes to be handed over under the Police and Criminal Evidence Act or Terrorism Act.

An Italian prosecutor who led an investigation into the London Bridge attacker Youssef Zaghba has insisted that Italian officials did send their UK counterparts a written warning about the risk he posed last year and monitored him constantly while he was in Italy.

Giuseppe Amato, the chief prosecutor in Bologna, who investigated Zaghba when he tried to travel from Italy to join Islamic State in Syria in March 2016, told the Guardian that information about the risk he posed was shared with officials in the UK.

Amato added that he personally saw a report that had been sent to London by the chief counter-terrorism official in Bologna about the Moroccan-born Italian citizen.

Manchester and London are not the only cases where the authorities were informed in advance about individuals. A 2015 article in The Intercept looked at ten high-profile terrorist attacks around the world, and found that in every single case, at least some of the perpetrators were already known to the authorities. Strong encryption is not the problem: it is the inability of the authorities to act on the information they have that is the problem. That's not to suggest that the intelligence services and police were incompetent, or that there were serious lapses. It's more a reflection of the fact that far from lacking vital information because of end-to-end encryption, say, the authorities have so much information that they are forced to prioritize their scarce resources, and sometimes they pursue the wrong leads and miss threats.

We wrote about this problem back in 2014, when an FBI whistleblower confirmed what many have been trying to explain to governments keen to extend their surveillance powers: that when you are looking for a needle, adding more hay to the stack makes things worse, not better. What is needed is less mass surveillance, and a more targeted approach. Until Theresa May and leaders around the world understand and act on that, it is likely that more attacks will occur, carried out by individuals known to the authorities, and irrespective of whether they use strong crypto or not.

from the a-comedy-of-errors dept

I've been seeing a few anti-encryption supporters pointing to a new ProPublica report on terrorists using encrypted communications as sort of proof of their position that we need to backdoor encryption and weaken security for everyone. The article is very detailed and thorough and does show that some ISIS folks make use of encrypted chat apps like Telegram and WhatsApp. But that's hardly a surprise. It was well known that those apps were being used, just like it's been well known that groups like Al Qaida were well aware of the usefulness of encryption going back many years, even predating 9/11. It's not like they've suddenly learned something new.

So, the fact that they're now using tools like WhatsApp and Telegram is hardly a surprise. It also kinda highlights the idiocy of trying to backdoor American encryption. Telegram is not a US company and WhatsApp's encryption is based on the open source Signal protocol, meaning that any American backdoor encryption law isn't going to be very effective.

But, really, what strikes me, from reading the whole article beyond the headline notion of "ISIS uses encryption," is that it lists example after example of the fact that folks in ISIS use encryption badly and often seem prone to revealing their information. This is not unique to ISIS. Lots of people are not very good about protecting themselves. Hell, I'm probably not very good about my own use of encryption. But, of course, I'm also not trying to blow things up or kill people. Either way, story after story after story in the article highlights the rather bumbling aspects of teaching ISIS supporters how and why to use encrypted communications and to avoid surveillance. My favorite example:

On Jan. 4, 2015, an exasperated coordinator repeatedly explained to a befuddled caller with a Lebanese accent that he could only bring a basic cell phone to Syria, according to a transcript.

“The important thing is that when you arrive in Turkey you have a small cell phone to contact me,” the coordinator said. “Don’t bring smart phones or tablets. OK, brother?”

For the fourth time, the recruit asked: “So we can’t have cell phones?”

Sounding a bit like a frustrated gate agent at a crowded airport, the coordinator added: “Each of you can only bring one suitcase. If you come alone, just bring one suitcase. That is, a carry-on and one suitcase.”

“I didn’t understand the last thing, could you explain?”

“Brother, call me when you get to Turkey.”

Then there was the case where someone planned a plot using an encrypted WhatsApp conversation, but police were already bugging the guy so they heard what he was saying anyway:

In April, Italian police overheard a senior figure in Syria urging a Moroccan suspect living near Milan to carry out an attack in Italy, according to a transcript. Although the voice message had been sent through an encrypted channel, the Moroccan played it back in his car, where a hidden microphone recorded it.

In the message, the unidentified “sheik” declared: “Detonate your belt in the crowds declaring Allah Akbar! Strike! (Explode!) Like a volcano, shake the infidels, confront the throng of the enemy, roaring like lightning, declare Allah Akbar and blow yourself up, O lion!”

The suspects exchanged recorded messages over WhatsApp, an encrypted telephone application that is widely used in Europe, the Arab world and Latin America.

All of these examples keep making the same point that many people have been making for a long time. Yes, encryption hides some aspect of communications. That's part of the point. But the idea that it creates a "going dark" situation is massively exaggerated. There are many other ways to get the necessary information, through traditional surveillance and detective work. And the report suggests that's working. And the fact that many ISIS recruits are particularly unsophisticated in understanding how and when to use encryption only makes that kind of thing easier for people tracking them. In discussing the Paris attacks, for example, the article notes that while some of the attackers were told to use encryption, they didn't.

Abaaoud’s operatives did not always follow security procedures, however. In June of last year, Turkish immigration authorities detained Tyler Vilus, a French plotter en route to Paris with someone else’s Swedish passport. Allowed to keep his cellular phone in a low-security detention center, Vilus brazenly sent an unencrypted text message to Abaaoud in Syria, according to a senior French counterterror official.

“I have been detained but it doesn’t seem too bad,” the message said, according to the senior official. “I will probably be released and will be able to continue the mission.”

Instead, U.S. spy agencies helped retrieve that text and French prosecutors charged Vilus with terrorist conspiracy.

Anyway, it's no surprise that terrorists are going to use encryption. Of course they have been for over a decade and will continue to do so. The issue is that it's not as horrible as law enforcement is making it out to be. Plotters have always been able to plan in ways that law enforcement has been unable to track (such as discussing in person, in other languages, or through simple ciphers or codes). That's always happened and somehow we managed to get by. Yes, sometimes law enforcement doesn't get to know absolutely everything about everyone. And that's a good thing. And sometimes, yes, that means that terrorists will be able to plan bad things without law enforcement knowing it. But that's part of the trade-off for living in a free society.

from the try-that-one-again? dept

We've been talking a lot about Rule 41 lately around here. As we've discussed, the DOJ had pushed for an update to the rule, basically granting the FBI much greater powers to hack into lots of computers, including those abroad (possibly creating diplomatic issues). We've been discussing the problems with the DOJ's proposed change for years, and we haven't been alone. Civil liberties groups and tech companies have both blasted the plans, but to no avail.

The amendments do not change any of the traditional protections and procedures under the Fourth Amendment, such as the requirement that the government establish probable cause. Rather, the amendments would merely ensure that at least one court is available to consider whether a particular warrant application comports with the Fourth Amendment.

The amendments would not authorize the government to undertake any search or seizure or use any remote search technique, whether inside or outside the United States, that is not already permitted under current law. The use of remote searches is not new and warrants for remote searches are currently issued under Rule 41. In addition, most courts already permit the search of multiple computers pursuant to a single warrant so long as necessary legal requirements are met.

This is... skirting the truth, at best. Under the existing Rule 41, there are clear limits on warrants that are outside the jurisdiction of the court (see 41(b)). The new Rule 41 wipes away many of those restrictions by adding an entirely new form of warrants for "remote access to search electronic storage media." This is the kind of thing that Congress is supposed to decide upon, not the courts at the behest of the DOJ. If Congress hasn't granted this authority, it's pretty ridiculous for the courts to just do it on their own, and, furthermore, to insist this is little more than an administrative change.

The DOJ also leaves out that the new rules also effectively wipe out the requirement to give a copy of the warrant to the person whose computers are being hacked. Yes, the new rules require a "receipt" but they switch to a "reasonable efforts" standard, rather than the current standard, which is that they must give it to the person or "leave a copy" where the property was taken. That pretty much guarantees that some of the people who are hacked following this won't even know about it.

And if it were really true that this new rule doesn't change anything, then why is the DOJ pushing so hard for it? Remember that a bunch of courts have been throwing out some of these searches as being illegal, so clearly there's an issue here.

The DOJ insists that the new rules only apply in narrow cases WHERE YOU SHOULD ALL BE AFRAID because EXPLOITED CHILDREN ARE AT RISK IF YOU DON'T ALL SHUT UP.

First, where a suspect has hidden the location of his or her computer using technological means, the changes to Rule 41 would ensure that federal agents know which judge to go to in order to apply for a warrant. For example, if agents are investigating criminals who are sexually exploiting children and uploading videos of that exploitation for others to see—but concealing their locations through anonymizing technology—agents will be able to apply for a search warrant to discover where they are located. A recent investigation that utilized this type of search warrant identified dozens of children who suffered sexual abuse at the hands of the offenders. While some federal courts hearing cases arising from this investigation have upheld the warrant as lawful, others have ordered the suppression of evidence based solely on the lack of clear venue in the current version of the rule.

I'm all for the DOJ going after people sexually exploiting children. It seems like a pretty good use of their time. But we should always be skeptical when law enforcement starts throwing out "sexually exploited children!" and "terrorism!" as reasons to upend existing rules. Especially when they cover something as important as how broadly the FBI and DOJ can hack into people's computers.

The FBI has a rather long history of abusing its surveillance powers, and especially seeking to avoid strict oversight. Approving such a change just because the DOJ is insisting it's "FOR THE CHILDREN, WON'T YOU PLEASE THINK OF THE CHILDREN!" isn't a particularly good reason. If the DOJ really thinks this kind of expansion of its ability to hack computers both at home and overseas (again: this is a diplomatic nightmare waiting to happen) is really so important, then it should have Congress pass a law, rather than insisting that it's nothing more than an administrative change to clarify a rule.

from the sad dept

Earlier this week, we wrote about a ridiculous misinformation campaign that was being sent around by House Intelligence Committee chair Rep. Devin Nunes against an amendment (sponsored by Reps. Thomas Massie and Zoe Lofgren) to a Defense appropriations bill that would block spending on two different kinds of surveillance "backdoors." First, ending backdoor searches, whereby tons of information on Americans that was collected "incidentally" as part of other searches, and then kept, could be scanned without requiring the showing of probable cause. Second, blocking the NSA from requiring backdoors into encryption technologies. A basically identical amendment easily passed in each of the last two years, but was stripped out before a final bill was approved.

With so much focus on things like iPhone encryption this year, some were wondering how the House would handle the amendment this year, and Nunes apparently decided to ramp up the pure FUD and lies against it, sending around a letter that exploited the Orlando shootings from this weekend, falsely claiming that the bill would block law enforcement/intelligence from scanning the 702 database for connections between the shooter and overseas individuals. This is wrong (never mind the fact that the CIA admitted yesterday that it can't find any connections at all). There are plenty of other tools available, including the ability to get a warrant, for officials to search for the relevant data. Nothing in the amendment would have stopped that at all. It only stops the random sniffing through the database, without cause.

But, apparently, such disinformation works. The amendment was narrowly voted down by the House, 198 - 222. Massie has said that he thinks Nunes' propaganda campaign was partly to blame.

Rep. Thomas Massie... the sponsor of the amendment the last three years, said he thought there were two reasons the proposal failed on Thursday. "I think it was about Orlando and a stronger disinformation campaign from the committee," he said, referring to a letter from Intelligence Committee Chairman Devin Nunes... that criticized the amendment.

"We had a stiff headwind," Massie continued. "But I think the winds will eventually change, and we'll prevail one day."

And it appears that Nunes' lies worked so well they were parroted by others during the debate:

Rep. Chris Stewart... who said he rose "to oppose the Massie amendment and the inaccurate accusations that underly it," argued that if the proposal were in effect today, the intelligence community would be unable to search the Foreign Intelligence Surveillance Act database for information on the deceased Orlando shooter, Omar Mateen. FISA is a law used to collect data on foreigners, but the National Security Agency dragnet also catches information on U.S. citizens who interact with those foreigners.

"We should be focused on thwarting terrorist attacks," Stewart said Wednesday, "not on thwarting the ability of intelligence professionals to investigate and stop them."

The only inaccurate accusations, though, are the ones put forth by Stewart here. NOTHING in the amendment would have thwarted anyone's ability to investigate the Mateen shooting or any other attack.

Rep. Bob Goodlatte repeated the same false thing as well:

"This amendment prohibits the government from searching data already in its possession, collected lawfully under section 702 of FISA, to determine whether Omar Mateen was in contact with foreign terrorists overseas."

Except it doesn't.

It's disappointing, if not that surprising, that the blatant misinformation and lies appear to have succeeded in convincing Congress to sanction practices that appear to be in conflict with the 4th Amendment.

from the sock-puppetry dept

Back in February the FCC voted to open up the captive cable set top box market to competition, potentially opening the door to better, cheaper hardware, but also putting an end to the $21 billion the cable industry makes annually in set top box rental fees. Shortly thereafter the cable industry responded by pushing an absolute torrent of misleading editorials in newspapers and on websites nationwide. Some of these editorials claim set top box competition will result in privacy, security, or piracy Armageddon. Most try to claim set top box competition is some kind of nefarious plan by Google to freeload on cable's "amazing history of innovation."

But the most obnoxious of these editorials have been those trying to claim that the FCC's set top box reform plan will hurt minority communities and diversity. We've long noted how one of the cable industry's favorite lobbying tricks is throwing money at minority groups so they'll parrot bad telecom policy, whether that's supporting the latest merger or opposing net neutrality. In short, many such groups are willing to support policies that actively harm their constituents -- for just the right amount of cash.

Enter Jesse Jackson, who this week penned an Op-ed over at USAToday that right out of the gate starts off on unsteady footing by mentioning the FCC's set top box reform plan in the same breath as "snarling dogs, water hoses and church bombings in the American South":

"National news coverage of the snarling dogs, water hoses and church bombings in the American South were the catalysts to exposing the ugly truths of racism and bigotry in the 1960s. Local news outlets gave new meaning to what the struggle looked like for people on its front lines.
That is why a new proposal at the Federal Communications Commission (FCC) to regulate TV “set top boxes” has raised so much concern."

Wait, what? Because history is filled with racism means the FCC's plan to open up the cable set top box market to competition raises concern? If you've actually bothered to read the FCC's proposal (pdf), all the rules would do is require cable companies to take their existing programming -- and make it available to third party hardware using the delivery methods and copy protection of the industry's choice. If anything the move would result in consumers getting access to more diverse programming options than ever before, given it would eliminate the traditional cable box walled garden, and replace it with hardware that nudges consumers in the direction of an ocean of streaming content.

Just like the cable industry (surely coincidental, right?), Jackson tries to claim that the FCC plan would let hardware vendors obtain cable programming "without any compensation":

"Essentially, the FCC is proposing that small and diverse television programmers such as Revolt and Vme TV hand over their television content to third party device manufacturers without any compensation. These companies could then pull networks apart, ignore copyright protections and dismantle the local and national advertising streams that have traditionally supported high quality, multicultural content."

Again though, that's not true. Cable customers will still pay cable companies the same high rates for the exact same content lineups using the exact same copy protection, users will just be able to access it via a wider variety of hardware. That's much like how third party hardware (like TiVo) works now, except without the costly and cumbersome CableCARD installation. Jackson (or whatever cable lobbyist ghost writer rented his name for the afternoon) preaches on -- pretending he's engaged in a brave civil rights battle:

"Diversity on television and media still matters as much as it did in the 1960s. While new video platforms and content are being developed, the promise of this new medium will not be an immediate substitute for the current range of images and voices now available on TV. Furthermore, the market is already demonstrating its own agility to change with many new devices, streaming options and services bringing traditional television and Internet video onto our screens seamlessly."

Fighting for diversity in programming and media ownership is one thing. Opposing a plan that would actually help diverse communities by making cable cheaper while delivering more diverse content than ever before is something else entirely. Jackson tries to support his shaky position by rattling off a laundry list of politicians and minority groups that oppose the FCC's plan:

"Leaders of the Congressional Black and Hispanic Caucuses have voiced opposition to this proposal; to date, over 80 House Democrats have expressed opposition or serious concerns. Major civil rights organizations, such as the National Urban League and the League of United Latin American Citizens (LULAC), have asked the FCC to pause this proceeding until more empirical data detailing the impacts on diversity is released."

And while it's possible a few members of these groups actually believe (or are misled to believe) the FCC's plan hurts diversity, all Jackson's laundry list of such groups does is highlight just how pervasive this kind of lobbyist dreck has become. Most consumers frankly have no idea that "astroturf" of this type even exists, and as a result many will be convinced that a plan that actually helps them will do them harm thanks to Jackson's missive. Comcast has found this kind of sock puppetry so effective, it now calls its top lobbyist David Cohen the company's "Chief Diversity Officer."

And while this really is nothing short of disinformation, it speaks volumes about the quality of the cable industry's argument -- and its fear of real set top box competition -- that it needs to resort to grotesque, misleading puppetry of this type.

from the because-that-side-hasn't-been-heard-from-yet dept

With the world mocking the sheer ignorance of their anti-encryption bill, Senators Richard Burr and Dianne Feinstein are doubling down by planning a staff "briefing" on the issue of "going dark" with a panel that is made up entirely of law enforcement folks. As far as we can tell, it hasn't been announced publicly, but an emailed announcement was forwarded to us, in which they announce the "briefing" (notably not a "hearing") on "barriers to law enforcement’s ability to lawfully access the electronic evidence they need to identify suspects, solve crimes, exonerate the innocent and protect communities from further crime." The idea here is to convince others in Congress to support their ridiculous bill by gathering a bunch of staffers and scaring them with bogeyman stories of "encryption caused a crime wave!" As such, it's no surprise that the panelists aren't just weighted heavily in one direction, they're practically flipping the boat. Everyone on the panel comes from the same perspective, and will lay out the argument for "encryption bad!"

Chief Commissioner Patrick Stevens
Chief Commissioner, Liaison Officer for the Belgian Federal Police
to the United States, Canada, Mexico, and the Bahamas

Colonel Joseph R. Fuentes
Superintendent, New Jersey State Police

As Marcy Wheeler points out, it does seem odd that these two Senators who are on the Senate Intelligence Committee are pushing so strongly on this issue, when the focus on law enforcement should put it squarely in the Senate Judiciary Committee. In fact, it's not even clear that this briefing is officially Intelligence Committee business at all, but rather just a chance for Burr and Feinstein to push their story from the one side that's already been the most vocal in trying to turn something that isn't actually a problem into something that they insist must be a problem.

The briefing is scheduled to be held this coming Wednesday morning in the Capitol Visitor Center and will be the Senators' latest effort to scare the logic out of their colleagues.

A bill proposed in congress this week would require that all users provide identification and register prepaid ‘burner’ phones upon purchase.

[...]

Representative Jackie Speier, the congresswoman who introduced the bill, called the prepaid phone “loophole” an “egregious gap in our legal framework,” one that allowed terrorists and criminals near-complete autonomy and a means for private, anonymous communications.

This "loophole" has existed for years. There's nothing new about burner phones. The only thing "new" is that these were used by the terrorists who attacked Paris. So, of course, a legislator has decided to do something about it.

The Closing the Pre-Paid Mobile Device Security Gap Act of 2016 would place the same identification and record-keeping standards on pre-paid mobile devices as the ones that already exist on traditional contract mobile devices. When customers buy a traditional contract-based phone, they provide basic information such as a name, address, and date of birth, which law enforcement can request with a warrant in order to stop terrorist attacks or other illegal activity.

This bill would direct pre-paid cell phone retailers to collect basic ID information at the time of purchase and share that information with the cellular provider for that individual device. The information would be verified using a credit card, debit card, social security number, driver’s license number, or other information that the Attorney General finds adequate in order to have some record of the transaction. Pre-paid “burner phones” were used in the 9/11 attacks, the failed Times Square bombing, and the Paris attacks. Failure to hold them to the same standard as regular contract phones poses a serious risk to national security.

Given that burner phones have been associated with criminal activity since forever, if anyone seriously felt the need to close the "loophole," you'd think they'd have accomplished it already. (Here's a failed attempt from 2010, made by Sens. Chuck Schumer and John Cornyn post-Times Square bombing.) What Speier wants to do is generate yet another set of third-party records to be housed by phone providers that can be accessed without warrants.

Even if this passes, it will do little to allow law enforcement agencies to follow up on burners recovered after attacks. Criminals and terrorists won't be presenting identification -- at least not theirs -- to retailers. In fact, they're going to do what they've done before: use straw purchasers or buy directly from resellers who fall outside of the bill's likely purview -- like individuals or online retailers.

This will have little investigative worth, but it will generate a ton of records on people who don't have any option but to buy prepaid phones, whether it's due to credit issues or a lack of verifiable identification. Many won't have the ID options requested, like credit/debit cards. Some may not have state ID/Social Security cards either. Adding this requirement will just inflict further difficulties on people whose lives are filled with difficulties already.

Then there are those who do have these things but would prefer to use a "burner" for conversations/communications they don't want to have linked to a phone that, for all intents and purposes, identifies them. Activists and journalists are two groups that immediately come to mind. So do philandering spouses, but that sort of activity is really none of the government's business -- nor the retailers acting as prepaid phone dragnets on the government's behalf.

And then there will be any number of people who buy prepaid phones simply to leave less of a personally-identifiable digital footprint -- without having to surrender most of their communication options.

In addition to these issues, requiring registration for prepaid phones will both lead to more criminal activity (in the form of a new black market for unregistered phones) and adversely affect smaller retailers who will now be shouldering additional burdens for the government. From a 2013 GSM (Groupe Speciale Mobile) report on registration requirements for SIM cards: (h/t Glyn Moody)

In countries where prepaid users represent the majority of the mobile communications market, the costs to mobile operators of implementing new registration processes can be significant including:

• Training staff and retailers i.e. on how to register users, what the acceptable forms of identity are and how to verify them;
• Investing in public awareness campaigns to inform their customers about the need to register;
• Ensuring that customer data databases are accurately updated, maintained and secured;
• Monitoring compliance and deactivating all unregistered SIM cards after the imposed deadline; and
• Verifying, copying and storing users’ identity documents.

The report also recommends:

Governments considering mandating the registration of prepaid users should seek to consult with industry stakeholders and conduct impact assessments before introducing regulation.

Right now, the only entity that has been consulted is Rep. Speier's gut instinct. It says, "Do something!"

Certainly a cell provider can gather any information it wants in exchange for providing phone service, but third parties like Wal-Mart and Target shouldn't be put in the position of tracking certain people who make certain purchases. As useful as it may be to have this information lying around (and that's certainly disputable), Speier's proposal will do little to prevent attacks and criminal activity while harming the privacy interests (and more) of her constituents.